Apple’s Very Different BYOD Philosophy

I am currently polishing off the first draft of my Data Security for iOS 7 paper, and reached one fascinating conclusion during the research which I want to push out early. The approach Apple is implementing is very different from the way we normally view BYOD. Apple’s focus is on providing a consistent, non-degraded user experience while still allowing enterprise control. Apple enforces this by taking an active role in mediating mobile device management between the user and the enterprise, treating both as equals. We haven’t really seen this before – even when companies like Blackberry handle aspects of security and MDM, they don’t simultaneously treat the device as something the user owns. Enough blather – here you go…

Apple has a very clear vision of the role of iOS devices in the enterprise. There is BYOD, and there are enterprise-owned devices, with nearly completely different models for each. The owner of the device defines the security and management model.

In Apple’s BYOD model users own their devices, enterprises own enterprise data and apps on devices, and the user experience never suffers. No dual personas. No virtual machines. A seamless experience, with data and apps intermingled but sandboxed. The model is far from perfect today, with one major gap, but iOS 7 is the clearest expression of this direction yet, and only the foolish would expect Apple to change any time soon.

Enterprise-owned devices support absolute control by IT, down to the new-device provisioning experience. Organizations can degrade features as much as they want and need, but the devices will, as much as allowed, still provide the complete iOS experience.

In the first case users allow the enterprise space on their device, while the enterprise allows users access to enterprise resources; in the second model the enterprise owns everything. The split is so clear that it is actually difficult for the enterprise to implement supervised mode on an employee-owned device.

We will explain the specifics as we go along, but here are a few examples to highlight the different models.

On employee-owned devices:

- The enterprise sends a configuration profile that the user can choose to accept or decline.
- If the user accepts it, certain minimal security can be required, such as passcode settings.
- The user gains access to their corporate email, but cannot move messages to other email accounts without permission.
- The enterprise can install managed apps, which can be set to only allow data to flow between them and managed accounts (email). These may be enterprise apps or enterprise licenses for other commercial apps. If the enterprise pays for it, they own it.
- The user otherwise controls all their personal accounts, apps, and information on the device.
- All this is done without exposing any user data (like the user’s iTunes Store account) to the enterprise.
- If the user opts out of enterprise control (which they can do whenever they want) they lose access to all enterprise features, accounts, and apps. The enterprise can also erase their ‘footprint’ remotely whenever they want.
- The device is still tied to the user’s iCloud account, including Activation Lock to prevent anyone, even the enterprise, from taking the device and using it without permission.
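As an added illustration (not code from the post, and not Apple's or any MDM vendor's), here is a Python sketch that builds the kind of employee-owned profile the bullets above describe and audits an unsigned .mobileconfig for settings that contradict that model. The display name, identifiers and passcode values are assumed; real profiles are normally signed and pushed by an MDM server, which this does not handle.

```python
import plistlib
import uuid

# PayloadType strings of the two iOS payloads the BYOD bullets describe.
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"


def payload(ptype, ident, **keys):
    """Envelope fields every payload dictionary inside a profile must carry."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, **keys}


def build_byod_profile():
    """Constructed sample profile for the employee-owned model (names are assumed)."""
    return {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Example Corp BYOD",   # assumed name
        "PayloadIdentifier": "com.example.byod",     # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": False,  # the user keeps the right to opt out
        "PayloadContent": [
            # Minimal security the user accepts: a passcode policy.
            payload(PASSCODE, "com.example.byod.passcode", forcePIN=True,
                    minLength=6, maxFailedAttempts=10, maxInactivity=5),
            # Managed data stays in managed apps; personal data may flow in, not out.
            payload(RESTRICTIONS, "com.example.byod.restrictions",
                    allowOpenFromManagedToUnmanaged=False,
                    allowOpenFromUnmanagedToManaged=True),
        ],
    }


def profile_to_bytes(profile):
    """Serialise a profile dict to the XML plist form of an unsigned .mobileconfig."""
    return plistlib.dumps(profile)


def audit_byod_profile(profile_bytes):
    """Return settings in an unsigned .mobileconfig that break the BYOD model above."""
    prof = plistlib.loads(profile_bytes)
    by_type = {p.get("PayloadType"): p for p in prof.get("PayloadContent", [])}
    findings = []
    if prof.get("PayloadRemovalDisallowed", False):
        findings.append("user cannot remove the profile")
    if not by_type.get(PASSCODE, {}).get("forcePIN", False):
        findings.append("no passcode requirement")
    if by_type.get(RESTRICTIONS, {}).get("allowOpenFromManagedToUnmanaged", True):
        findings.append("managed data can be opened in unmanaged personal apps")
    return findings
```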

On enterprise-owned devices:

- The enterprise controls the entire provisioning process, from before the box is even opened.
- When the user first opens the box and starts their assigned device, the entire experience is managed by the enterprise, down to which setup screens display.
- The enterprise controls all apps, settings, and features of the device, down to disabling the camera and restricting network settings.
- The device can never be associated with a user’s iCloud account for Activation Lock; the enterprise owns it.

This model is quite different from the way security and management were handled on iOS 6, and runs deeper than most people realize. While there are gaps, especially in the BYOD controls, it is safe to assume these will slowly be cleaned up over time following Apple’s usual improvement process.

Comments:


By Corey Quinn on 01/16 at 11:35 PM

Interesting. I recently discovered that adding an Exchange account grants the mail admin the ability to remotely wipe my device. Backups make this non-catastrophic, but that would seem to fly in the face of the above-mentioned “Enterprise can merely erase their own footprint” bullet.

By Paul J on 01/17 at 01:12 AM

Great summary Rich. Will the full paper fill in which vendors fully leverage the user-owned device model? Today we have ActiveSync based integration with few gates on shared content, basic security settings, only full device wipe, etc. What of the sandboxing mentioned requires an MDM platform, and which vendors are delivering the full-enchilada?